As the Internet evolves and identity theft criminals get more and more tech-savvy, it isn’t any wonder the number of identity theft crimes has skyrocketed over the past few years.

To keep your personal information safe online, you’ll need to first know the most common methods thieves use to collect your information. That way, you can figure out what actions you’ll need to take to stop them.

These are:

Phishing: Phishing happens when a thief sends out an email under the guise of a legitimate company. The email in question will generally contain links to a very legitimate-looking website. Once the victim arrives at the website, he or she will be asked to give a bank account number, credit card number or other piece of personal data.

Spyware: Spyware is software that collects personal data from individuals’ own computers without their knowledge. It infects a computer when the user visits certain websites or opens email attachments from unknown senders. Anyone with physical access to a computer can also install spyware on it.

Fraudulent e-commerce sites: Identity thieves often set up fraudulent e-commerce sites for goods they advertise through spam email blasts or on price comparison websites. When individuals place orders on these sites, identity thieves are able to capture their names, addresses, credit card numbers and other information.

Wireless network snooping: Tech-savvy identity thieves connect to unsecured wireless networks and steal information either from files on the connected computers or from data in transit between the sender and its final destination.

Massachusetts ID theft law compliance deadline is today:

Any entity that employs and/or does business with Massachusetts residents must be in full compliance today, March 1, with our nation’s toughest ID theft law to date—Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

Fines for noncompliance are steep, and auditors from the MA Attorney General’s office will be coming any day now. Are you prepared to show your compliance, or will you have to face the facts?

Now is not the time for second-guessing. Call us now at 617-859-1777 and schedule your free 30-minute compliance overview, offered in partnership with the Foley and Foley law firm of Massachusetts.

Identity thieves can steal personal information from you at work, in public, online or even from your home (a place that so many of us think is a safe haven). The first step to protecting your information in all these places is knowing where the thieves will go to get their hands on it.

Let’s start off by looking at the workplace.

Personal information in any given workplace is vulnerable to the prying eyes and hands of permanent staff, temporary and contract workers or even the after-hours custodial staff that comes in and cleans the building every night.

If there’s an identity thief lurking in and around your workplace, chances are they’ll go for one of the following.

Unattended personal belongings: This includes unattended purses and wallets as well as easily accessible personal documents that employees either keep at work or bring with them to work.

Employee personnel files: Any employee with access to the personnel files that are kept in HR has easy access to employees’ Social Security Numbers and DOB’s as well as a host of other data ID thieves may use to commit fraud.

Data in personnel files is especially vulnerable to threats from within an organization. A disgruntled employee or even a temp worker could steal employee personal information, sell it to an identity thief or use it themselves to commit fraud.

Effective monitoring is the key:

The information above goes to show that employers should carefully monitor access to all employee personal information. Certain vital details such as who has access to this information, how long they have access to it and what precise business or compliance need their access to this information will fulfill should be spelled out clearly in your Written Information Security Plan required by Massachusetts law 201 CMR 17.00 (which is enforceable the first of next month).

On top of this, employers should communicate to employees the importance of consistently monitoring all accounts they have in their name, checking for any unauthorized activity or the presence of any new accounts that they didn’t open themselves.

Individuals who steal your identity or credit card numbers depend on you not to look too closely at your bills and ensure that every charge on them was actually yours. “Small” charges of under $100 are often less scrutinized than larger amounts and thieves know this. That’s why you should never just “excuse away” unfamiliar and unauthorized charges, just because they appear small.

Deadline for Massachusetts Identity theft law 201 CMR 17.00 is just a week away:

One week from today, all businesses that “own, license, store or maintain” personal information on any Massachusetts residents must be fully compliant with the Commonwealth’s identity theft law 201 CMR 17.00. Is your company compliance-ready, and can you prove it to the auditor who may come knocking at your door?

To help Massachusetts businesses get compliance-ready, Universal Benefit Plans has partnered with local employment law firm Foley and Foley to offer a complimentary 30 minute compliance review for qualifying companies. Call us at 617-859-1777 to learn more and see if your company qualifies.

As discussed in the previous blog post, your passwords are often your only barrier protecting personal information from the prying eyes of identity thieves. So, it goes without saying that they should be kept both strong and secret.

We’ve gone over how to make your passwords strong; here are 4 steps you should take to make sure they’re kept secret:

1. Don’t write your passwords down: The safest place to store your passwords is clearly your own mind, which is why they should be relatively easy for you to remember. However, if you’re someone with a lot of different passwords to different accounts, you might need to write them down somewhere to remember which one is which.

If this is you, you’ll need to be extra careful about where you put them. Avoid places that are easy for a thief to access, such as your pocketbook, a note taped to your monitor or even a sticky note on the back of your mousepad.

2. Don’t use the “remember my passwords” setting: Whenever automatic logins and “remember my passwords” settings are enabled on your computer, anyone who sits down at it can sign in as you and get into all of your personal accounts.

3. Don’t log into accounts containing personal information on public computers: Public computers include those in libraries, schools, universities or at an Internet café. Your passwords and usernames could be saved by the computer and used to access your accounts by someone else at a later date.

4. Don’t share your password with others: Also, as soon as anyone finds out your password, you should immediately change it (even if the person promised not to use it or tell anyone else).

Starting March 1, 2010, all businesses that “own, license, store or maintain” personal information on any Massachusetts residents must be fully compliant with the Commonwealth’s identity theft law 201 CMR 17.00. This means encryption, creation and implementation of a Written Information Security Plan and a whole host of other responsibilities must be completed by the end of this month.

Is your company compliance-ready, and can you prove it to the auditor who may come knocking at your door?

To help Massachusetts businesses get compliance-ready, Universal Benefit Plans has partnered with local employment law firm Foley and Foley to offer a complimentary 30 minute compliance review for qualifying companies. Call us at 617-859-1777 to learn more and see if your company qualifies.

If you lived during the Middle Ages and had a castle, you’d want to prevent invaders from breaking in, destroying your property, kidnapping your loved ones, etc. So what would you do? Build a moat, correct?

Now most, if not all of you, would pull out all the stops to create the deepest, most crocodile-filled moat imaginable. After all, it would be your only barrier for keeping invaders out. When creating passwords for your personal information you should use this exact same logic.

That’s because just like a moat is the only barrier keeping invaders out of a castle, your passwords are often your only barrier standing between personal information and identity thieves.

All passwords you use to access personal information (both online and off) should be both strong and secret. This blog post will educate you on how to keep them strong.

What is a strong password?

A strong password is one that includes:

6 or more characters

Letters, numbers and symbols

At least one case change

When creating your passwords, make sure that they are both easy for you to remember and difficult for others to guess. If your password contains two distinct words or proper names, make sure they are unrelated to one another.

One strategy you can use to create a strong, memorable password is to use the first letter of every word in a popular saying (making at least one of the letters uppercase) and add a number plus a symbol to the end. For example, a strong password using the popular saying “Speak softly and carry a big stick” might be Ss&cabs13.
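The three rules above and the first-letter strategy, written out as checks you can run. This is an added example, not code from the original post; it assumes that “at least one case change” means the password contains both an upper-case and a lower-case letter, and it writes “and” as “&” the way the post’s Ss&cabs13 example does.

```python
"""Added example: the post's strong-password rules as a checker, plus the
mnemonic strategy (first letter of each word in a saying, 'and' written as
'&', then a number and symbol appended)."""

import string

MIN_LENGTH = 6  # the post's minimum length


def strength_problems(password: str) -> list[str]:
    """Return the list of rules the password fails (an empty list means strong)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # Assumption: "at least one case change" = both cases of letters present.
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("no case change")
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not strength_problems(password)


def mnemonic_password(saying: str, number: str, symbol: str = "") -> str:
    """Build a password from a saying the way the post describes.

    Keeps the first letter of every word with its original case (so the
    capital that starts the saying supplies the case change), writes the
    word 'and' as '&' as in the post's example, and appends the number and
    an optional trailing symbol.
    """
    letters = []
    for word in saying.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        letters.append("&" if word.lower() == "and" else word[0])
    return "".join(letters) + number + symbol


if __name__ == "__main__":
    pw = mnemonic_password("Speak softly and carry a big stick", "13")
    print(pw, "strong" if is_strong(pw) else strength_problems(pw))
```

The checker reports every failed rule rather than a pass/fail flag, so it can be used to tell a user exactly what to fix.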

Once you’ve set a strong password, you should also take the following precautions:

Never use the same password for more than one of your main accounts: If you do, it could take just one security breach to compromise everything in all of your accounts.

Change your passwords regularly: The Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) recommends that individuals change their passwords for access to personal information at least every 6 months. A helpful tip for reminding yourself to do this is to tie it to a recurring event (e.g. change your password every time daylight saving time begins or ends).

For any entity that employs and/or does business with Massachusetts residents, OCABR has passed our nation’s toughest ID theft law to date—Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).

Businesses must be fully compliant with the law by March 1, 2010. Is all your company’s personal information on Massachusetts residents encrypted and/or protected? Do you have a Written Information Security Plan in place?

These are just a few of the 201 CMR 17.00 requirements that must be met. Attend our free webinar February 11th at 2 pm and in just 30 minutes you’ll know the answers to these questions plus so much more.

02/01/2010

Identity theft is a huge and costly problem. In fact, it has recently surpassed drug trafficking as the number one crime in the nation and claims one new victim every 3 seconds.

Identity theft can happen to anyone and its results are devastating: stolen funds, a tarnished credit rating and obligations to pay off debt that isn’t even your own.

To keep from becoming victims of identity theft, all individuals should:

Keep sensitive personal information under wraps

Learn to recognize and put a stop to common identity theft strategies

Act quickly to limit damage

This blog post will focus on keeping sensitive personal information under wraps, and knowing what identity thieves want is a logical first step to keeping personal information safe. That’s because when you know what identity theft criminals want from you (and what they’d do with it) you’ll know exactly what personal details to keep safe and secure.

The following table shows you what common pieces of personal information identity theft criminals want and why they want it.

Social Security Number (SSN): Your Social Security number uniquely identifies you for employment and credit purposes and serves as the gateway to all your financial information.

Date of Birth: Your date of birth (especially if used alongside your SSN) can be used by an ID theft criminal to verify your identity.

Financial Account Numbers: These include bank account numbers and credit card numbers. ID theft criminals can use them to take money out of your accounts or make payments both over the phone and online.

Mother’s maiden name: ID theft criminals want this information because it’s often used to verify an individual’s identity and authorize access to their financial information.

PIN numbers and passwords: These allow access to banking, credit card and online accounts.

Driver’s license number: This number can be used by ID theft criminals to obtain a fraudulent ID.

Starting March 1, 2010, the Commonwealth of Massachusetts Attorney General’s office will begin enforcing Regulation 201 CMR 17.00. The regulation is designed to prevent identity theft, and it’s the toughest identity theft law for businesses in our nation to date.

Is your company up to speed with compliance? Can you afford not to be?

Update all firewalls and system security measures on all computers that store and process personal information

Although Massachusetts’ identity theft law is the strictest in our nation to date, there could soon be a Federal law not too unlike 201 CMR 17.00—although the details of this law haven’t quite been ironed out yet.

The Personal Data Privacy and Security Act of 2009:

Senator Patrick Leahy, a Vermont Democrat, is sponsoring a bill called the Personal Data Privacy and Security Act of 2009.

The bill contains the following provisions:

New Data Protection Standards: Private and government entities that keep personal data would be required to establish effective programs for ensuring that it’s kept confidential. These requirements include risk assessment and vulnerability testing as well as measures for controlling access to sensitive information, detecting and logging unauthorized personal information access, and protecting personal data both in transit and at rest.

New Federal Breach-Notification Standard: If a breach were to happen, companies would not only need to notify all individuals whose data was compromised, but in some cases, credit reporting agencies and the United States Secret Service as well.

An Office of Federal Identity Protection would be established as part of the Federal Trade Commission (FTC) to monitor data breaches and enforce identity theft law.

Breach notification exemptions: The law would provide private and government entities that have taken adequate measures to protect sensitive data (i.e. encryption) some exemptions from data breach notification requirements. Also, companies would not be required to immediately make a data breach notification if it gets in the way of a criminal investigation. However, both of these exemptions will need to be vetted by the US Secret Service.

Criminal penalties for executives that willfully conceal a data breach: Executives of companies that experience a data breach and willfully avoid notifying affected parties would be subject to criminal penalties under this new law.

Federal ID theft law will likely pre-empt state laws:

One major point to note about this bill is that if passed, it would pre-empt (i.e. nullify) state identity theft and data breach notification laws. This means that the rules of data security could change quite a lot for Massachusetts employers, although it hasn’t been established quite how much they’d change.

The Personal Data Privacy and Security Act of 2009 was approved November 2009 by the Senate Judiciary Committee and is currently under consideration by the full Senate.

We will keep very close tabs on Congress’ progress with this law and keep you posted on any major changes that occur.

01/07/2010

And it can come from many different people, from a dishonest co-worker, to a temp working in HR, even a visitor to your office building. If you’re not careful, any of these people can have access to your personal information—and who knows what they’ll do if they get their hands on it.

To keep sensitive information from falling into the wrong hands, here are 3 steps employers and employees both should take:

Keep your personal property in a safe place: Don’t leave your personal belongings such as purses, wallets and laptops unattended. Either have them on your person at all times or keep them in a locked place to which only you have the key. Also, make sure all documents you have containing personal information are either on an encrypted computer or stored in a locked file cabinet. When you’re away from your desk, make sure you never leave one of these files open on your computer or one of these cabinet drawers open.

Always assume your work computer is being monitored: That’s because many employers will routinely scan the content of employees’ email and monitor their Internet use. Because of this, employees should never use their work computers to access password-protected personal accounts, do online banking, send non work-related emails containing personal information or store documents with personally identifying information.

Maintain strict information security policies at your workplace: Among many other things, employers should restrict access of employee personnel data to authorized individuals only and make sure all files containing personal information are stored on encrypted computers, locked file cabinets or secure offsite facilities.

They should also educate employees on all information security measures they’re taking, train employees on their data security responsibilities and require them (as part of their jobs) to obey the data security policy.

11/04/2009

As you may know, Massachusetts’ upcoming law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) requires all businesses that “own, license, store and maintain” personal information on any Massachusetts resident to create and implement a Written Information Security Plan (WISP).

Your WISP needs to be comprehensive, and it must spell out all of your technical, physical and administrative safeguards for personal information. If your company already has a WISP and it’s good to go for March 1, you’re definitely one step ahead of the game. However, you’re not off the hook just yet. You’ll need to continuously re-evaluate your plan in order to stay compliant.

Q: The law requires companies to evaluate their WISP for comprehensiveness and effectiveness:

A) Once every year

B) Once every 5 years

C) Every time business practices change in a way that impacts personal information security

D) Both A and C

A: If you answered both A and C, then you are correct. Companies required to create and implement a Written Information Security Plan (WISP) are also required to evaluate it annually and re-train employees on it.

They are also required to do this whenever business practices change in a way that impacts personal information security. Here’s an example.

“Well we’re movin’ on up”

Let’s say a company is doing really well, is on a trajectory for growth and decides it needs to move to a new (and larger) building for more office space. At the former location, the HR department had a small office in which physical files containing employee personal information were stored. The door was only open when the HR Manager or her assistant was in the office working; at all other times it was locked, and only the two of them had the key.

At their new office building, a professional cleaning crew comes in every night and vacuums the floor of each office. Because of this, the HR Manager or her assistant would now need to secure all files containing employee personal information in locked file cabinets at the end of each day. They’ll also need to ensure that only the two of them have keys to this cabinet and that all of the above measures are added to their updated WISP.

Want to learn more about the law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) and the many other things you must do to get your company compliant?

Q: The following are used to store and/or communicate employee benefits information.

1. Files on your hard drive

2. A fax machine

3. An HRIS system

4. Email

Of these 4 options, 3 are encryptable and one is not. Which one is not encryptable?

A: If you answered number 2, a fax machine, then you are correct.

Here’s why:

You can encrypt both the files you store on your hard drive containing personal employee information and the email you use to communicate it to other HR staff and your broker. All you’ll need to do is purchase file encryption software and email encryption software, then have IT install it on all computers where personal employee information is housed and communicated.

You can also purchase (or get for free through your broker) an encrypted Human Resources Information System (HRIS) to securely store all vital employee and benefits information and protect it from being lost or stolen.

However, you cannot encrypt a fax machine. This means that effective March 1, 2010 when the law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) goes into effect, employers’ days of faxing claim and enrollment forms are over, and for a good reason.

Think of it this way: a new hire enrolls in a family plan for your health insurance, she fills out the paperwork and you fax it to your broker (or to whoever you think is your broker), but you press a wrong key on the fax machine by accident. Who do you think your fax went to? It was certainly not your broker.

And, what do you think the person who received the fax did with it? Did they throw it away without shredding it (that’ll be a $50,000 check made payable to the Commonwealth of Massachusetts if the improperly disposed data gets stolen) or see the Social Security Numbers of your employee, her husband and two children and think, “Wow, four identities for the price of one!”?

How do you send employee personal information now that faxing it is obsolete?

If your encrypted HRIS has secure communication capabilities (between the HR/benefits administrator and the broker), scan the document and send it through your HRIS. Universal Benefit Plans’ proprietary dual-encrypted online HRIS, The HR in a Box™, has a feature called the Agency Help Ticket Center that does just this.

Instead of encrypting file after file on computer after computer, or purchasing encrypted email just for the purpose of communicating personal employee information, you could get The HR in a Box™ dual encrypted online secure information storage vault and communication vehicle for free.

Call us at (617) 859-1777 to see if your company qualifies; the clock to March 1 is ticking.

Want to learn more about the law Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) and the many other things you must do to get your company compliant?

On Monday August 17, three men (one American and two Russians) were charged with stealing personal data from more than 130 million credit and/or debit cards. Data was stolen from customers of Heartland Payment Systems, 7-Eleven, the Hannaford Brothers supermarket chain and two other unnamed corporate entities.

The men are charged with conspiring to hack into computer networks and stealing data as far back as October 2006. This hacking and identity theft case is believed to be the largest one the US Department of Justice has ever prosecuted.

How the breach was executed:

To tap into the retailers’ networks, the three hackers used a technique known as a SQL injection attack, which enabled them to get around the firewalls on the computer networks containing credit and debit card data.

The hackers then installed “sniffers” on the victims’ computer systems to intercept credit and debit card data as transactions were processed.
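What a SQL injection flaw looks like in code, and the fix that removes it. This is an added illustration, not code or data from the case described above: it builds a constructed in-memory SQLite table with invented customer rows and runs the same lookup two ways, once with the query string built by concatenation and once with the value bound as a parameter, so the difference can be verified offline.

```python
"""Added example: a string-built SQL query next to its parameterised form,
run on a constructed SQLite table so the behaviour can be compared offline."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; the rows and emails are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Defect: the caller-supplied value is pasted into the SQL text, so
    quote characters in it are interpreted as SQL syntax rather than data."""
    sql = f"SELECT id, email FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Fix: the value is bound as a parameter; the statement text is fixed
    and the driver passes the value as data, whatever characters it holds."""
    sql = "SELECT id, email FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def row_counts(email: str) -> tuple[int, int]:
    """Run one input through both lookups; returns (vulnerable, hardened) row counts."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_hardened(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup matches one row either way; a value containing a
    # quote makes the string-built query return the whole table while the
    # parameterised query correctly matches nothing.
    print(row_counts("alice@example.com"))
    print(row_counts("x' OR '1'='1"))
```

The same two-way comparison is a useful regression test to keep in a code base: any query that returns more rows for a quote-bearing input than the parameterised version does is one to fix.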

How to prevent this from happening at your company:

Although hackers are always looking for new and innovative ways to access and compromise personal information, there are still things companies can do to help prevent a data breach.

1. Encrypt your networks

This is especially important if your company has a wireless network. According to a recent PC World article, both the TJX and Lowes data breaches were made possible because of non-existent wireless network security. That’s why you should secure your wireless network with encryption. Also, a form of authentication should be required for anyone to access the wireless network.

2. Stay on top of things

Make sure to consistently monitor all computer systems containing personal information. This frequent exposure will help sensitize you to the earliest signs of compromise or suspicious activity. That way, you’ll be alert and ready to take action before any major damage is done (or any major funds are lost).

3. Go above and beyond

This means that you should do more than the bare minimum at your company to pass a security audit. As much as we like to think lawmakers enact security laws because they have nothing better to do with their time, they really do have our best interests at heart.

Data security laws are there to protect your sensitive data on your computer networks. If you’re only doing the bare minimum that the lawmakers want, you might not be reaping the full benefit of these laws in the end.

Massachusetts’ Identity Theft Law:

In response to the huge, costly problem of identity theft, Massachusetts Governor Deval Patrick signed identity protection law 201 CMR 17.00. Effective March 1, 2010, this law is the toughest one any US state has passed to date.

To prepare businesses for compliance with this law, Universal Benefit Plans conducts free 30-minute educational webinars twice per month. To sign up for a webinar, please visit www.universalbenefitplans.com and check out our events calendar.